MSCHAPv2 authentication not working

Question

I've been fighting with this for around a week now. I'm trying to get a RADIUS server to authenticate against our Samba-based Active Directory, but I can't get it to work. Because of our infrastructure, PAP will not work. Because AD does not offer a known good plaintext password, CHAP will not work. So this leaves MSCHAP.

The RADIUS server is on its own VM. Said VM is linked to the domain with Winbind. I have the following /etc/raddb/mods-available/mschap:

$ cat /etc/raddb/mods-available/mschap|grep -Ev '^\s*(#|$)'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "[domain]"
    winbind_retry_with_normalised_username = yes
    pool {
            start = ${thread[pool].start_servers}
            min = ${thread[pool].min_spare_servers}
            max = ${thread[pool].max_servers}
            spare = ${thread[pool].max_spare_servers}
            uses = 0
            retry_delay = 30
            lifetime = 86400
            cleanup_interval = 300
            idle_timeout = 600
    }
}

When I have a client attempt to authenticate, the relevant radiusd -X output is:

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 22 from 192.168.6.179:43922 to 192.168.6.192:1812 length 180
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port = 15728668
(0)   NAS-Port-Type = Virtual
(0)   User-Name = "duncan"
(0)   Calling-Station-Id = "192.168.6.100"
(0)   Called-Station-Id = "192.168.6.179"
(0)   MS-CHAP-Challenge = 0x7fd91ada13b38b1800f2f5c1b9a107e4
(0)   MS-CHAP2-Response = 0x01000ff84b43a7f4d54b20da108b5f6a76480000000000000000b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.6.179
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap:    --> --username=duncan
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=6c2a06548de859d5
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> --nt-response=b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> duncan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 22 from 192.168.6.192:1812 to 192.168.6.179:43922 length 103
(0)   MS-CHAP-Error = "\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +8
Ready to process requests

And the samba log level 5 output:

[2018/03/19 11:13:13.166062,  3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/GS-RADIUS
[2018/03/19 11:13:13.166160,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166171,  5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
  map_user_info_cracknames: Mapping user [AD]\[duncan] from workstation [\\GS-RADIUS]
  auth_check_password_send: mapped user is: [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166994,  5] ../source4/auth/ntlm/auth.c:67(auth_get_challenge)
  auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2018/03/19 11:13:13.167006,  5] ../lib/util/util.c:555(dump_data)
  [0000] 2D F2 C3 E3 15 05 ED 58                             -......X
[2018/03/19 11:13:13.167502,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167518,  3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user duncan
[2018/03/19 11:13:13.167630,  5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
  Not updating badPwdCount on CN=duncan,CN=Users,DC=ad,DC=goldblattsystems,DC=com after wrong password
[2018/03/19 11:13:13.167656,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [AD\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/03/19 11:13:13.348906,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/19 11:13:13.348929,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

What's causing this? How can I fix it?

Answer 1

You need neither enable the ntlm_auth row in /etc/raddb/mods-available/mschap nor set ntlm auth = yes in your smb.conf. As MSCHAPv2 doesn't seem to support NTLMv2, you do need to set the following in your smb.conf:

ntlm auth = mschapv2-and-ntlmv2-only

To quote the smb.conf manpage:

”Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).”

However, with modern Sambas and recent versions of Freeradius you don't need to enable ntlm_auth explicitly, because Freeradius 3.0.8 and newer ones can talk to Winbind directly. Just remember to give it read permissions for Winbind's pipe! Eg. on Debian one could run setfacl -m u:freerad:rx /var/lib/samba/winbindd_privileged/.

All in all, all the changes to the mschap module config that I did to recieve Access-Accept from radtest -t mschap testaccount mypass 127.0.0.1 0 testing123 on a Debian Buster box running Samba as an AD DC and Freeradius are in the following diff:

diff --git a/freeradius/3.0/mods-available/mschap b/freeradius/3.0/mods-available/mschap
index d7efcb1..e297ed4 100644
--- a/freeradius/3.0/mods-available/mschap
+++ b/freeradius/3.0/mods-available/mschap
@@ -21,12 +21,12 @@ mschap {
        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
-#      require_encryption = yes
+       require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
-#      require_strong = yes
+       require_strong = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
@@ -81,8 +81,8 @@ mschap {
        # or later to be installed. Make sure that ntlm_auth above is
        # commented out.
        #
-#      winbind_username = "%{mschap:User-Name}"
-#      winbind_domain = "%{mschap:NT-Domain}"
+       winbind_username = "%{mschap:User-Name}"
+       winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}"

        # When using single sign-on with a winbind connection and the
        # client uses a different casing for the username than the
@@ -91,7 +91,7 @@ mschap {
        # user in the correct casing in the backend, and retry
        # authentication with that username.
        #
-#      winbind_retry_with_normalised_username = no
+       winbind_retry_with_normalised_username = yes

        #
        #  Information for the winbind connection pool.  The configuration

(Please note that winbind_retry_with_normalised_username is probably irrelevant in this testing context.)

MYDOMAIN is the domain name in the classic NT4-form, not in the Kerberos-like DOMAIN.TLD form. Even if you're not running Freeradius straight on the DC, the actual mschap module config of Freeradius should still be the same, as long as the server has joined the domain properly. If the DC is Windows, then there is obviously no smb.conf, but the ability to use NTLMv1 is dependent of the domain functional level and whether the user belongs to a protected user group.

Note that if MSCHAPv2 is going to be used for Wi-Fi authentication, it should only be used inside mutually authenticated tunnels to guard against fake access points. For the EAP types, see Wikipedia and for a summary of client restrictions, see the second answer in Why would you use EAP-TTLS instead of PEAP?

Answer 2

Setting ntlm auth = yes in the global section of smb.conf "fixed" it. I'd like to go back to disallowing ntlmv1 so if somebody has a way to get this working without ntlmv1 please post your own answer.